Protecting Network Assets

CAMP: Bridging Security and Identity Management
Christopher Misra
14 February 2008, Tempe, AZ

Posted 10-Jan-2016


  • Agenda (DRAFT, needs to be updated)

    Automated Security and Policy Enforcement
    History
    New Challenges
    Background/Roles of:
      NAC
      IdM
      Network Segmentation
    What might we do?
      Firewall traversal
      Grid case
      Standards

  • Session Abstract

    Can IAM be helpful in managing network intrusions and access policies? Can IAM correctly correlate identity to an endpoint device by combining network registration and personal identification? Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes?

    This session will explore these questions and how one can identify the person behind the device or address.

  • Managing Network Intrusions?

    Initial NAC deployments were not driven by architectural decisions
      Large numbers of unmanaged systems connected to campus network
      Primarily in residence halls
      Battle scars from Code Red, Nimda, and Blaster
    However, we did leverage campus IAM successfully
      And we effectively created a device registry
      Even if we didn't integrate this data with our IAM

  • How we got here (or, before NAC was cool)

    Why Automate Security and Policy Enforcement?
    From the SALSA-Netauth document "Strategies for Automating Network Policy Enforcement":

    (A) major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high-speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention.

  • Even though it wasn't cool, we implemented NAC

    Workflow Diagram (labels recovered from the slide graphic)

    Nodes:
      External Event Occurs: Policy Decision Check Required
      Policy Decision: Lookup to Policy Repository
      Network Transitions to New State
      Network Transitions to a fully compliant or non-compliant final state

    Policy actions:
      None Required
      Move to new state
      Enforcement Action Required: take enforcement action and return to Policy Decision

  • And here we are (I guess NAC is cool now...)

    Network Access Control: Vendor Definitions

    "Using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources" (Cisco)

    "combines user identity and device security state information with network location information, to create a unique access control policy" (Juniper)

  • Why did we implement NAC systems?

    Only automated approaches can scale and respond rapidly to large-scale incidents.

    Preventative policy enforcement reduces risk, both in:
      the overall number of security vulnerabilities
      the success of any particular attack technique

    Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.

  • Network Access Control

    Higher education created many early systems of what is now termed NAC (Network Access Control)
      Southwestern Netreg, CMU Netreg, Packetfence, others
    Currently there are many commercial offerings in the space
      30+ vendors at last count
      Major deployments by Cisco, Microsoft, Juniper and others

  • Network Access Control in Higher Ed

    Characteristics of higher ed networks lead to unique challenges
      Large numbers of unmanaged systems connected to campus network
      Residence halls
      Heterogeneous computing base
      Frequently no ubiquitous administration structure
      Complex network use cases

  • Network Access Control in Higher Ed

    Associating a device with an identity
      Is the user a member of the campus community?
      Leveraging campus IdM
    Determining a host's posture
      Is the host compliant with local policy?
      Measuring device state against campus IT security standards
    Role-based network assignment
      What network perimeter is appropriate for this host?
      VLAN, subnet, firewalls, IDS

  • NAC Basics

    Registration options include:
      Open DHCP (free love)
      DHCP with MAC registration (netreg)
      Web middlebox (portal)
      802.1x (supplicant)
    Enforcement types include:
      VLAN isolation / DHCP scope isolation
      Network-based firewall / host-based filters
      Class of Service (rate limit)

  • NAC: Posture assessment

    Original implementations used active network-based scanning
      Windows XP SP2 rained on this parade (its host firewall, on by default, blocked remote scans)
      But security staff didn't compliance
    Many sites migrated to client-based posture assessment
      Running code on endpoints to validate compliance
      Could be implemented in the 802.1x supplicant

  • NAC is Complicated

    Component diagram (labels recovered from the slide graphic):

      Access Requestor (AR): Network Node
      Network Detection Point (NDP): Network Element
      Policy Enforcement Point (PEP): Network Element
      Policy Decision Point (PDP): Policy Server
      Data Repository (DR): Policy, Authentication, Authorization DB
      Identity / Integrity

  • Federations have a role here also

    Enable members of one institution to authenticate to the wireless network at another institution using their home credentials
    E.g. eduroam, which stands for Education Roaming, is a RADIUS-based infrastructure that uses 802.1X security technology to allow for inter-institutional roaming. Being part of eduroam allows users visiting another institution connected to eduroam to log on to the WLAN using the same credentials (username and password) the user would use if he were at his home institution.
    Effectively need to achieve identity discovery
    Also applicable to Grid environments
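The "identity discovery" step above is, in an eduroam-style deployment, realm-based routing: the visited institution's RADIUS server reads the realm after the "@" in the user's Network Access Identifier and forwards the request up a proxy hierarchy until a server that knows the home institution is reached. The following is an added example written for this page, not eduroam's own software or any code from the presentation; the proxy names, realms and hierarchy are constructed, and the routing rules (deliver if the realm is known, descend to a child responsible for the realm's suffix, otherwise forward to the parent) are a simplified model, not a specification.

```python
from dataclasses import dataclass, field


@dataclass
class ProxyNode:
    """One RADIUS proxy in the hierarchy (institution, national, or top level)."""
    name: str
    realms: dict = field(default_factory=dict)    # realm -> home RADIUS server reachable directly
    children: dict = field(default_factory=dict)  # realm suffix -> child proxy (e.g. "example" -> national)
    parent: "ProxyNode" = None


def parse_nai(nai):
    """Split a Network Access Identifier 'user@realm' into (user, realm).

    Proxies route on the realm only; the user part is never interpreted here,
    so an anonymous outer identity such as 'anonymous@home.example' routes fine.
    """
    if nai.count("@") != 1:
        raise ValueError(f"malformed identity: {nai!r}")
    user, realm = nai.split("@")
    realm = realm.strip().lower()
    if not user or not realm or "." not in realm or realm.startswith("."):
        raise ValueError(f"malformed identity: {nai!r}")
    return user, realm


def route(nai, node, max_hops=6):
    """Walk the proxy hierarchy from `node`; return (status, hops, detail).

    status is "deliver" (detail = home RADIUS server) or "reject" (detail = reason).
    """
    try:
        _, realm = parse_nai(nai)
    except ValueError as exc:
        return "reject", [node.name], str(exc)

    hops = []
    while node is not None and len(hops) < max_hops:
        if node.name in hops:  # revisiting a proxy means the realm is unroutable
            return "reject", hops, f"routing loop for realm {realm}"
        hops.append(node.name)
        if realm in node.realms:
            return "deliver", hops, node.realms[realm]
        # Descend if a child proxy is responsible for this realm's suffix...
        child = next((c for suffix, c in node.children.items()
                      if realm == suffix or realm.endswith("." + suffix)), None)
        if child is not None:
            node = child
            continue
        # ...otherwise forward to the parent; the top-level proxy has none.
        node = node.parent
    return "reject", hops, f"unknown realm {realm}"


def build_sample_hierarchy():
    """Constructed three-level hierarchy: institution -> national proxy -> top-level proxy.

    Returns the visited institution's RADIUS server, where roaming requests arrive.
    """
    top = ProxyNode("top-level-proxy")
    nat_example = ProxyNode("national.example", parent=top)
    nat_test = ProxyNode("national.test", parent=top)
    top.children = {"example": nat_example, "test": nat_test}
    nat_example.realms = {"home.example": "radius.home.example",
                          "visited.example": "radius.visited.example"}
    nat_test.realms = {"uni.test": "radius.uni.test"}
    return ProxyNode("radius.visited.example", parent=nat_example,
                     realms={"visited.example": "radius.visited.example"})


if __name__ == "__main__":
    visited = build_sample_hierarchy()
    for ident in ["bob@visited.example", "alice@home.example", "carol@uni.test",
                  "Eve@Nowhere.Invalid", "mallory@foo.example", "noatsign"]:
        status, hops, detail = route(ident, visited)
        print(f"{ident:22} {status:8} via {' -> '.join(hops)}: {detail}")
```

The two rejection paths matter as much as the delivery path: a request for a realm nobody claims ends at the top-level proxy and is refused, and a realm whose suffix is claimed nationally but whose institution is unknown would bounce between the national and top-level proxies forever without the revisit check, which is the kind of loop a real proxy must also guard against.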

  • Correlating identity to device to privilege

    We've done a pretty effective job so far
      But the drivers were not traditional IAM drivers
    Can we assign a meaningful Level of Assurance to this correlation?
      Not so sure.
    Are we willing to use this correlation to grant privileges?
      Dynamic VLAN assignments?
      Firewall traversal capabilities?

  • Correlating identity to device to privilege

    We need to understand the relationship between user identity, device identity, and host integrity (posture)
      This is complicated further in a federated environment
    Does (user + device) == privilege?
      What about users with multiple roles?
    Is this a network, security, or IdM problem?
      D) All of the above

    Perhaps we need to step back and take an architectural view of this
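The deck keeps circling the same decision: tie a MAC to a campus identity (netreg/IdM), check the host's posture against the campus standard, pick a network perimeter from the user's role, and feed the result back into the workflow diagram's three outcomes (none required, move to new state, enforcement action required). The following is an added example written for this page to make that decision concrete; it is not code from the presentation or from any NAC product. The VLAN names, posture checks, role precedence, event names and sample registry are all constructed, and the multi-role rule (the highest-precedence known role wins, unknown roles get guest) is one possible answer to the "users with multiple roles" question above, not the deck's.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """The three outcomes in the deck's workflow diagram."""
    NONE_REQUIRED = "none required"
    MOVE_TO_NEW_STATE = "move to new state"
    ENFORCEMENT_REQUIRED = "enforcement action required"


# Network states (VLAN names are constructed for the example).
REGISTRATION_VLAN = "vlan-registration"  # netreg / captive-portal access only
QUARANTINE_VLAN = "vlan-quarantine"      # remediation resources only
ROLE_VLANS = {"staff": "vlan-staff", "student": "vlan-resnet", "guest": "vlan-guest"}
ROLE_PRECEDENCE = ("staff", "student", "guest")  # which role wins for multi-role users

# Posture checks the (constructed) campus standard requires of every host.
POSTURE_POLICY = {"os_patched": True, "antivirus_current": True, "host_firewall_on": True}


@dataclass(frozen=True)
class RegistryEntry:
    """Device registry row: the MAC-to-identity correlation from netreg/IdM."""
    identity: str
    roles: frozenset


@dataclass(frozen=True)
class Decision:
    action: Action
    target_vlan: str
    reason: str


def posture_failures(posture):
    """Names of policy checks the reported posture does not satisfy (missing = failed)."""
    return sorted(k for k, want in POSTURE_POLICY.items() if posture.get(k) != want)


def assign_role_vlan(roles):
    """Role-based network assignment: the highest-precedence known role wins."""
    for role in ROLE_PRECEDENCE:
        if role in roles:
            return ROLE_VLANS[role]
    return ROLE_VLANS["guest"]  # unknown roles get least privilege


def decide(event, mac, posture, current_vlan, registry):
    """Policy decision for one external event (link-up, posture-report, ids-alert)."""
    mac = mac.lower()  # registry keys are normalized; switches report MACs in mixed case
    if event == "ids-alert":
        # Incident response path: isolate first, regardless of identity or posture.
        target, reason = QUARANTINE_VLAN, "IDS alert on host"
    else:
        entry = registry.get(mac)
        if entry is None:
            target, reason = REGISTRATION_VLAN, "unregistered MAC"
        else:
            failures = posture_failures(posture)
            if failures:
                target, reason = QUARANTINE_VLAN, "posture failures: " + ", ".join(failures)
            else:
                target = assign_role_vlan(entry.roles)
                reason = f"{entry.identity} compliant, roles={sorted(entry.roles)}"

    # Map the target state onto the workflow diagram's policy actions.
    if target == current_vlan:
        action = Action.NONE_REQUIRED
    elif target in (REGISTRATION_VLAN, QUARANTINE_VLAN):
        action = Action.ENFORCEMENT_REQUIRED  # isolate, then return to policy decision
    else:
        action = Action.MOVE_TO_NEW_STATE      # compliant final state
    return Decision(action, target, reason)


# Constructed sample registry: MAC -> campus identity and roles.
SAMPLE_REGISTRY = {
    "00:11:22:33:44:55": RegistryEntry("jdoe", frozenset({"student"})),
    "66:77:88:99:aa:bb": RegistryEntry("asmith", frozenset({"staff", "student"})),
}
GOOD_POSTURE = {"os_patched": True, "antivirus_current": True, "host_firewall_on": True}

if __name__ == "__main__":
    for ev, mac, posture, vlan in [
        ("link-up", "00:11:22:33:44:55", GOOD_POSTURE, REGISTRATION_VLAN),
        ("link-up", "66:77:88:99:AA:BB", GOOD_POSTURE, "vlan-staff"),
        ("posture-report", "00:11:22:33:44:55", {"os_patched": False}, "vlan-resnet"),
        ("link-up", "de:ad:be:ef:00:01", GOOD_POSTURE, "vlan-resnet"),
        ("ids-alert", "66:77:88:99:aa:bb", GOOD_POSTURE, "vlan-staff"),
    ]:
        d = decide(ev, mac, posture, vlan, SAMPLE_REGISTRY)
        print(f"{ev:14} {mac} -> {d.action.value:27} {d.target_vlan:18} ({d.reason})")
```

Two details carry the deck's caveats. A posture report that omits a check counts as a failure, because an endpoint that says nothing about its firewall has not demonstrated compliance; and the IDS path quarantines before looking at identity or posture, since a host in good standing five minutes ago is still the host generating alerts now. Whether the registry correlation is strong enough to grant the staff VLAN, the Level of Assurance question above, is a policy input this code cannot answer for you.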

  • Drivers for NAC standards

    Community desire for interoperable components
      Heterogeneous campus environment
      Modular network architecture
    Ability to use commercial and open source components
      Vendor-made switches
      Open-source registration and remediation

  • NAC Standards space

    Trusted Computing Group
      Trusted Network Connect
    Vendor standards
      Cisco NAC
      Microsoft NAP
    IETF NEA
      Chartered only for client-server protocols
